Malware

South Korean corporations hit by widespread attack that wiped data and shut down systems

Researchers discovered that attackers used data-wiping malware to cripple critical businesses throughout South Korea, where several banks and news organizations began reporting widespread cyber attacks.

On Wednesday, broadcast companies and banks began reporting a number of technical issues, from downed websites and blocked servers to infections that erased pertinent company files.

According to The New York Times, major banks in South Korea, NongHyup and Jeju, reported malware outbreaks that destroyed computer files. The Times also reported that Shinhan Bank's internet banking servers were temporarily blocked Wednesday.

The computers of KBS and MBC television station employees reportedly froze, as well, in addition to KBS' website becoming inoperable.

Researchers at Symantec said a trojan named “Jokra” was used in attacks where data was destroyed.

According to a Wednesday blog post from Symantec, Jokra is capable of overwriting a computer's master boot record (MBR) and all data stored on it. The trojan also attempts to repeat this data-wiping process on any drives “attached or mapped to the compromised computer.” Later Wednesday, Symantec said further research has turned up a wiper component that erases Linux machines.

Symantec found no evidence that the trojan was related to Shamoon, data-wiping malware that targeted the energy sector in the Middle East last August.

Satnam Narang, a Symantec researcher, told SCMagazine.com that typically attacks that target critical industries are typically motivated by corporate or government espionage. But that's not the case here.

“This is a different scenario, where you aren't having data extracted,” Narang said. “This is destroying data simply for the purpose of destroying it.

In the blog post, Symantec suggested the individuals responsible for the attacks could be state sponsored or  “nationalistic hacktivists taking issues into their own hands.” 

“The real motives of the attack are also unclear but in recent times there has been a ramping up of political tensions in the Korean peninsula,” Symantec said of North and South Korea tensions.

Manchester, N.H.-based Renesys, which provides real-time global internet monitoring, found that both South and North Korean networks experienced disconnections on Wednesday, although it was unclear whether the outages were directly related to the reported cyber attacks.

Renesys found that five networks at Korea Broadcasting System were knocked offline, while the Yonhap News Network experienced similar downtime on two networks, Doug Madory, a senior research engineer at Renesys, said in a blog post. The company also detected network outages at Korea Gas Corp., the world's largest liquefied natural gas importer, and Shinhan Bank.

Between Monday and Tuesday, the firm also noted a rare spike in network disruptions in North Korea.

“On Monday and [Wednesday] morning, we observed outages lasting for just a few minutes in North Korea,” Renesys said. “It should be noted that although North Korea's internet is small, it is very stable. Until last week, North Korean outages had been very rare.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.